DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Almost 280,000 to be notified of hack at Northwest Florida State College; ID theft reported

Posted on October 10, 2012 by Dissent

Jim Turner reports:

An information security breach has been reported involving employee and student records at Northwest Florida State College in Niceville.

[…]

According to the state Department of Education, the breach included more than 3,000 employee records and approximately 76,000 Northwest College student records containing personal identification information; and approximately 200,000 records with information including names, Social Security numbers, dates of birth, ethnicity, and gender for students across the state who were eligible for Bright Futures scholarships for the 2005-06 and 2006-07 school years.

Read more on Sunshine State News.

The college has set up a web site for the breach.  According to their update today:

The NWFSC student information compromised in the security breach contains public directory information including name and address, as well as confidential student data including birth date and Social Security number. The Bright Futures scholars’ data file includes all State of Florida Bright Futures eligible students during the 2005-06 and 2006- 07 academic years. This data file contains student names, Social Security numbers, dates of birth, ethnicity and gender. No student academic files have been compromised.

The college reports that the breach was discovered following an internal review conducted between October 1 – 5  after the college started receiving reports from employees of fraud.  Even the college’s president became a victim.

In a memo to employee sent on October 8 via e-mail, the college informed them:

We know from May 21, 2012 until September 24, 2012 one or more hackers accessed one folder on our main server. This folder had multiple files on it. No one file had a complete set of personal information regarding individuals. However, by working between files, the hacker(s) have been able to piece together enough information to be able to engage in the theft of identity of at least 50 employees.

We know by working between files data regarding Name, Social Security Number, Date of Birth, and Direct Deposit Account numbers were accessed. Additional directory information such as address, phone numbers, college email address, etc. was also likely compromised.

We know three specific mechanisms have been used to engage in identity theft. The first is to use PayDayMax, Inc. as a conduit for taking out a personal loan which is repaid by debiting your bank account. The second is the same process using Discount Advance Loans. The third is to apply for a Home Depot Credit Card in an employee’s name and then use that card.

We know current employees and all retirees/past employees since 2002 that have had direct deposit of their pay have the potential to have had their information compromised.

The college says that the system has now been secured.

Kudos to the college for doing a terrific job of notifying employees promptly and issuing timely updates as they learn more.

No related posts.

Category: Education SectorHackOf NoteU.S.

Post navigation

← How Zappos’ User Agreement Failed In Court and Left Zappos Legally Naked
Ca: Bar and lounge workers warned of potential privacy breach (update1) →

5 thoughts on “Almost 280,000 to be notified of hack at Northwest Florida State College; ID theft reported”

  1. Sheila says:
    October 10, 2012 at 8:48 pm

    [The NWFSC student information compromised in the security breach contains public directory information including name and address, as well as confidential student data including birth date and Social Security number.]

    DOB is directory information, not confidential, isn’t it?

    1. admin says:
      October 10, 2012 at 9:14 pm

      Many schools do not include DOB as directory info, because the “Directory Information” is defined as elements of the education records that would generally not be considered an invasion of privacy. That said, schools are allowed to define “Directory Information,” so some schools, like Clemson, disclose – without consent – a slew of information (see http://www.registrar.clemson.edu/ferpa/directoryInfo.htm for Clemson’s definition).

      1. Sheila says:
        October 10, 2012 at 9:37 pm

        Learned something new. Hadn’t thought about it that way. thanks.

        Terrible breach. SSN, ethnicity & gender.

        [Information including names, Social Security numbers, dates of birth, ethnicity, and gender for students across the state who were eligible for Bright Futures scholarships for the 2005-06 and 2006-07 school years]

  2. Sheila says:
    October 10, 2012 at 9:41 pm

    Wow, just looked at Clemson’s directory information.

    http://www.registrar.clemson.edu/ferpa/directoryInfo.htm

    Learned some more about FERPA.

    1. admin says:
      October 11, 2012 at 7:16 am

      I don’t want to single out Clemson – it was just a convenient example of how much info can be disclosed without consent under FERPA. NWFLSC’s policy/definition is:

      Although the following directory information may be released at the discretion of the college, the college does not routinely release such information to third parties: name, address, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, photographs, dates of attendance, enrollment status, degrees and awards received, and the most previous education agency or institution attended. In addition to directory information, the college is required by law to release to the United States Armed Forces student recruiting information which may include the student’s name, address, phone number, date and place of birth, level of education, most recent previous institution attended, major field of study, and degrees received.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mississippi Law Firm Sues Cyber Insurer Over Coverage for Scam
  • Ukrainian Hackers Wipe 47TB of Data from Top Russian Military Drone Supplier
  • Computer Whiz Gets Suspended Sentence over 2019 Revenue Agency Data Breach
  • Ministry of Defence data breach timeline
  • Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years
  • Ransomware in Italy, strike at the Diskstation gang: hacker group leader arrested in Milan
  • A year after cyber attack, Columbus could invest $23M in cybersecurity upgrades
  • Gravity Forms Breach Hits 1M WordPress Sites
  • Stormous claims to have protected health info on 600,000 patients of North Country Healthcare. The patient data appears fake. (2)
  • Back from the Brink: District Court Clears Air Regarding Individualized Damages Assessment in Data Breach Cases

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The EU’s Plan To Ban Private Messaging Could Have a Global Impact (Plus: What To Do About It)
  • A Balancing Act: Privacy Issues And Responding to A Federal Subpoena Investigating Transgender Care
  • Here’s What a Reproductive Police State Looks Like
  • Meta investors, Zuckerberg to square off at $8 billion trial over alleged privacy violations
  • Australian law is now clearer about clinicians’ discretion to tell our patients’ relatives about their genetic risk
  • The ICO’s AI and biometrics strategy
  • Trump Border Czar Boasts ICE Can ‘Briefly Detain’ People Based On ‘Physical Appearance’

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.